Detection and identification of anomalies in wireless mesh networks using Principal Component Analysis (PCA)
(2009) In Journal of Interconnection Networks 10(4), pp. 517-534.
Abstract
Anomaly detection is becoming a powerful and necessary component as wireless networks gain popularity. In this paper, we evaluate the efficacy of PCA-based anomaly detection for wireless mesh networks (WMN). The PCA-based method [1] was originally developed for wired networks. Our experiments show that it is possible to detect different types of anomalies, such as denial-of-service (DoS) attacks, port scan attacks [1], etc., in an interference-prone wireless environment. However, the PCA-based method is found to be very sensitive to small changes in flows, causing a non-negligible number of false alarms. This problem prompted us to develop an anomaly identification scheme which automatically identifies the flow(s) causing the detected anomaly and their contributions in terms of number of packets. Our results show that the identification scheme is able to differentiate false alarms from real anomalies and pinpoint the culprit(s) in case of a real fault or threat. Moreover, we also found that the threshold value used in [1] for distinguishing normal and abnormal traffic conditions is based on the assumption of normally distributed traffic, which is not accurate for current network traffic, which is mostly self-similar in nature. Adjusting the threshold also reduced the number of false alarms considerably. The experiments were performed over an 8-node mesh testbed deployed in a suburban area, under different realistic traffic scenarios. Our identification scheme facilitates the use of the PCA-based method for real-time anomaly detection in wireless networks, as it can filter the false alarms locally at the monitoring nodes without excessive computational overhead.
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/3131097
- author
- Zaidi, Zainab R. ; Hakami, Sara ; Moors, Tim and Landfeldt, Björn LU
- publishing date
- 2009
- type
- Contribution to journal
- publication status
- published
- subject
- in
- Journal of Interconnection Networks
- volume
- 10
- issue
- 4
- pages
- 517 - 534
- publisher
- World Scientific Publishing
- external identifiers
- scopus:77950344032
- ISSN
- 0219-2659
- DOI
- 10.1142/S0219265909002698
- language
- English
- LU publication?
- no
- id
- 234d7204-af60-4770-bee6-42cad0ab1661 (old id 3131097)
- date added to LUP
- 2016-04-04 10:47:00
- date last changed
- 2022-03-15 22:16:16
@article{234d7204-af60-4770-bee6-42cad0ab1661,
  abstract  = {{Anomaly detection is becoming a powerful and necessary component as wireless networks gain popularity. In this paper, we evaluate the efficacy of PCA based anomaly detection for wireless mesh networks (WMN). PCA based method [1] was originally developed for wired networks. Our experiments show that it is possible to detect different types of anomalies, such as Denial-of-service (DoS) attack, port scan attack [1], etc., in an interference prone wireless environment. However, the PCA based method is found to be very sensitive to small changes in flows causing non-negligible number of false alarms. This problem prompted us to develop an anomaly identification scheme which automatically identifies the flow(s) causing the detected anomaly and their contributions in terms of number of packets. Our results show that the identification scheme is able to differentiate false alarms from real anomalies and pinpoint the culprit(s) in case of a real fault or threat. Moreover, we also found that the threshold value used in [1] for distinguishing normal and abnormal traffic conditions is based on assumption of normally distributed traffic which is not accurate for current network traffic which is mostly self-similar in nature. Adjusting the threshold also reduced the number of false alarms considerably. The experiments were performed over an 8 node mesh testbed deployed in a suburban area, under different realistic traffic scenarios. Our identification scheme facilitates the use of PCA based method for real-time anomaly detection in wireless networks as it can filter the false alarms locally at the monitoring nodes without excessive computational overhead.}},
  author    = {{Zaidi, Zainab R. and Hakami, Sara and Moors, Tim and Landfeldt, Björn}},
  issn      = {{0219-2659}},
  language  = {{eng}},
  number    = {{4}},
  pages     = {{517--534}},
  publisher = {{World Scientific Publishing}},
  series    = {{Journal of Interconnection Networks}},
  title     = {{Detection and identification of anomalies in wireless mesh networks using Principal Component Analysis (PCA)}},
  url       = {{http://dx.doi.org/10.1142/S0219265909002698}},
  doi       = {{10.1142/S0219265909002698}},
  volume    = {{10}},
  year      = {{2009}},
}